Congressional Reps Pushing CISPA Cybersecurity Bill Don't Even Know How To Secure Their Own Websites

from the don't-regulate-what-you-don't-know dept

One of the big concerns we've had over politicians trying to regulate technology is how gleefully ignorant they often seem to be about the technology they seek to regulate. It's no different with the cybersecurity bill CISPA. We've been asking for months for some actual evidence that shows that we really need a cybersecurity bill, and all we get are fanciful stories about planes falling from the sky and hackers taking down power grids. If either thing were possible, the real response shouldn't be to set up a cybersecurity bill, but to disconnect those key infrastructure pieces from the internet.

Either way, we're learning, once again, that the backers of CISPA don't seem to know the slightest thing about "cybersecurity." Actual cybersecurity expert Chris Soghoian has highlighted how the key sponsors of CISPA fail at basic cybersecurity on their own websites, raising serious questions about their competence to write a cybersecurity bill.

Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.

So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how is their own information security? While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.

Take a wild guess what he found. First, he looks at whether or not they use HTTPS. As he notes, "It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry." So, what did Soghoian find? It appears that neither Rep. Rogers nor Rep. Ruppersberger does a very good job securing their own sites. He finds some sites without any HTTPS at all, and the others have it configured incorrectly.

When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.

He notes that there is really no excuse for these configuration errors, because the House appears to be set up with an HTTPS server, and other Reps have it properly configured on their sites. Not much really needs to be done. However, the fact that other Reps have set up HTTPS really raises concerns about these two Reps and their staff when it comes to cybersecurity:

The webserver that runs all of the house.gov websites is listening on port 443 and it looks like Akamai has issued a wildcard *.house.gov certificate that can be used to secure any Congressional website. As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like there is some non-HTTPS encrypted content delivered from that page too.) This means that the Congressional IT staff can enable HTTPS encryption for Rogers, Ruppersberger and every other member without having to buy any new HTTPS certificates or setting up new webservers. The software is already all there - and the fact that these sites do not work over HTTPS connections already suggests that no one in the members' offices has asked for it.
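The cursory check Soghoian describes boils down to two questions: does the host answer on port 443 with a certificate that actually covers its name (the *.house.gov wildcard covers one label, so it matches a member's site but not a deeper subdomain), and does an HTTPS request come back as a page rather than a redirect somewhere else, a bounce back to plain HTTP, or an error. The Python below is an added example written for this article, not Soghoian's tooling or anything from house.gov; the hostname rule is the standard RFC 6125 one, the classification labels are my own, and the hostnames used in the sample inputs are constructed placeholders.

```python
import http.client
import ssl
import sys
from typing import Optional
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def hostname_matches(pattern: str, host: str) -> bool:
    """Does a certificate name (possibly '*.house.gov') cover this host?

    RFC 6125 rule: a wildcard stands in for exactly one leftmost label, so
    '*.house.gov' covers 'member.house.gov' but neither 'house.gov' nor
    'www.member.house.gov'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".house.gov"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def classify(requested_host: str, status: int, location: Optional[str] = None) -> str:
    """Label the outcome of 'GET https://<host>/' the way a cursory audit would."""
    if status in REDIRECTS and location:
        parts = urlsplit(location)
        target = (parts.hostname or requested_host).lower()
        if target != requested_host.lower():
            return "redirects-offsite"        # the symptom the article describes
        if parts.scheme == "http":
            return "downgrade-to-http"        # 443 answers only to push you back to plaintext
        return "redirects-same-host"
    if 200 <= status < 300:
        return "ok"
    return "error"                            # e.g. a misconfiguration page


def check_https(host: str, timeout: float = 10.0):
    """Live check (needs network): returns (outcome, certificate_covers_host)."""
    ctx = ssl.create_default_context()        # verifies the chain and the hostname
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        sans = [v for k, v in conn.sock.getpeercert().get("subjectAltName", ()) if k == "DNS"]
        covered = any(hostname_matches(name, host) for name in sans)
        return classify(host, resp.status, resp.getheader("Location")), covered
    except ssl.SSLCertVerificationError:
        return "cert-mismatch", False         # certificate does not cover this name
    except (OSError, ssl.SSLError):
        return "no-https", False              # nothing on 443, or the handshake failed
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python3 https_check.py some-member.house.gov (hostname is a placeholder)
    for h in sys.argv[1:]:
        print(h, *check_https(h))
```

The offline pieces (`hostname_matches`, `classify`) are what a verifier can exercise; `check_https` only runs when you pass hostnames on the command line, and it uses the default verifying context deliberately, so a site whose certificate does not cover its name shows up as `cert-mismatch` rather than silently passing.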

Rep. Rogers, of course, recently stated that he's so concerned with the threats of cybersecurity that he literally "can't sleep at night." Funny, then, that he never bothered to make sure his own website was secure, huh?

Pudding of Proof!

It's a scam!

It's as though the congress-critters are saying "See, if I leave my garage wide open and unlocked with a sign that says "free stuff" people will totally steal my tools! Thus, logically, there needs to be a law against people going into garages they don't own."

Re:

There are two additionally-important reasons to use https when accessing a website:

1) your surfing habits cannot be tracked by 3rd parties (aka, your ISP tracking where you go and what you do). This is important for privacy - of course, CISPA wouldn't want that to be a reality anyway.

2) you want to avoid middle-man attacks - that goes both ways. In theory, someone in the middle can inject incorrect information into a website you are visiting if it's not secured via https. ISPs have been known to do this by injecting their own ads into the site, but anything can be done, malicious or otherwise.

Of course, again, governments would like to keep those doors open, screw the public - they don't need any sort of privacy or protection.

whoa! i hope Chris Soghoian covered his tracks well. they'll be doing him for hacking if he isn't careful! you know the rules, make someone doing something stupid actually look stupid and you're right in the shite! like most politicians, these idiots are just the paid-for mouthpieces of big companies, knowing less than nothing about the bills they are trying to force on to the public.

Re: HTTPS

I think it was intended to be used as an example of "what level of expertise has been used here".

As the article implies: "While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative."

IOW, if you can't even provide working https on your website when you already have the certificate, and the server has been configured to use it on other sites - are you a competent website admin?

there's an example to be made

Similar scenarios happen in shitty jobs every day. You see something that's a half-broken impediment to productivity or an embarrassment to the profession. You know it's been brought to the attention of management, who don't understand or care, or outright forbade you or anyone to take any corrective measures. In an environment of zero mutual respect, I see this as a call to ensure that said something gets broken the rest of the way, in a manner which directly targets any claims made as to why it was unimportant.

Maybe we should call this the age of paranoid politics. Well, not really; looking at history, it is just impressive that after millennia we still do the exact same things that people did in antiquity or the middle ages.

People intelligent in one area or otherwise, that get to power, suddenly believe they can regulate all other areas according to their own bias, because everything that they experience is applicable to other areas, without having to respect true democratic values which were built exactly to address those shortcomings of top-down BS management.

There is no way to secure the internet; you can secure information for a short while. Anything that needs long-term secrecy should never traverse open channels but exclusive ones. Punishing people for your own failings will not save you from people who want to do real harm, since they don't care about the punishment. Further, trying to create cybersecurity BS bills that criminalize experimentation in security harms your own prospects of having the necessary people with the necessary skills to protect anything.

Yes, you can disable the US navy through the internet; it is doable because the navy uses the fucking open internet to communicate important data. It is possible to destroy a pump somewhere using SCADA, which begs the question why these dumb people are allowing it to communicate over unsecure channels at all. Most importantly, it shows the weakness of central single points of failure; if they were really interested in securing the nation they would be thinking of decentralization and the P2P'fying of the entire vital infrastructure. Production of energy should be distributed, if possible to the family level; water needs should be met with new technologies for treatment and recycling inside a home, and so forth. Then there is no risk from the internet anymore; it would become impossible to disable the country.

Taking those steps you reduce dramatically the apocalyptic scenarios that cyber-dumb people can come up with.

I am calling them cyber-dumb people because that is what they are; they could be very knowledgeable in some other area but are completely stupid about how technology really works and what it can do, and so are undermining democracy to get the feeling of security that can't be had by such measures but only by real work, real innovation. We are not going to secure America by legislating bad guys out; they don't care. We will secure America the only way that is proven to work, and that is innovating and working on the real solutions that will upset many deep-rooted interests.

Re: Re:

1) This is wrong; you can absolutely track where others go. You cannot track what is being transmitted unless you get hold of the private key, but that is not a problem for the American government, since most key issuers are American companies that need to comply with American government demands even if they are not legally bound to do it, because the government has incredible leverage over those companies, which have a lot of dealings with government agencies.

Re:

Silly is your understanding of what was written; it is not about support for HTTPS, but how people in Congress, with all the tools laid out for them in the easiest way possible, still manage to get the simple things wrong.

HTTPS is basic stuff, if you can't even get that right it really calls into question the other assumptions about how much those people involved really know about what they are talking about.

Re: Re: Re:

You misunderstand how https certificates are issued.

It is not necessary to reveal your private key to your certificate authority - and many website owners don't. Some CAs do create them for you if you're too lazy to do so yourself, however - so I could see how one might come to this conclusion.

Re: Re:

I can't reply seriously to your points because I didn't expect anyone to take my post seriously. I thought it was obvious that I was turning around the oft repeated mantra of, "If you have nothing to hide, you have nothing to fear from this bill."

It's not that I don't understand your points (I'm not in Congress, after all), I just can't bring myself to address them because I agree.

We have to ask a few questions first..

1. Do you REALLY think they make/create their own sites??
2. If they have those that DO make the sites, do you THINK they are pro or NUBE?? Which is cheaper?
3. Are you SURE they don't WANT their sites hacked? If they are, then they can MAKE A POINT..
4. Do you REALLY think they know ANYTHING in the first place? How about the process of getting oil out of the ground and into your car and ALL the money WE pay in tax for OIL exploration..

WHO thinks that these idiots have their OWN servers and sites?? (NOT I)
And then they connect their other computers TO IT?? (really stupid)

Re: Re:

I go there with chrome, and it red crosses out the https, meaning that the connection is not truly https. Basically, the page contains secure AND insecure items on the same page mixed, which makes it a fail.

It means that for all the HTTPS, a simple switcharoo on one of the insecure items could cause an issue.

Mike should know that... but he's too busy picking at other people's stuff to bother checking his own.
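What Chrome is crossing out in the comment above is mixed content: an HTTPS page that pulls scripts, stylesheets or images over plain HTTP, so someone on the path can swap one of those sub-resources without ever touching the encrypted page itself. Browsers split this into "active" content (scripts, stylesheets, frames, which can take over the page) and "passive" content (images and media, where tampering is visible but contained). The scanner below is an added example for this article, not part of the page or of any browser; the sample HTML is constructed, the hostnames in it are placeholders, and the tag/attribute table covers only the common cases.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sub-resources that run or restyle the page: replacing one of these hands an
# on-path attacker control of the "secure" page (active mixed content).
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
# Sub-resources that are only displayed: tampering shows, but cannot run code.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect every sub-resource an HTTPS page fetches over plaintext http:."""

    def __init__(self):
        super().__init__()
        self.findings = []                    # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            attr = table.get(tag)
            if attr is None:
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue                      # only stylesheet links are applied by the page
            url = attrs.get(attr)
            # Only an explicit http: scheme is mixed content; relative and
            # protocol-relative ('//cdn/...') URLs inherit https: from the page.
            if url and urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))


def scan(page_url: str, html: str):
    """Return (severity, tag, url) for each plaintext sub-resource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []                             # a plain-HTTP page has nothing to "mix"
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page; example.test hostnames are placeholders, not real sites.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="https://static.example.test/app.js"></script>
<script src="http://analytics.example.test/track.js"></script>
</head><body>
<img src="http://static.example.test/seal.png">
<img src="//static.example.test/flag.png">
<a href="http://www.example.test/">a plain link is navigation, not a sub-resource</a>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in scan("https://member.example.test/", SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```

Run against the sample it reports the stylesheet and the analytics script as active findings and the seal image as passive, while the https: script, the protocol-relative image and the ordinary hyperlink are left alone. The fix on the server side is the same in every case: serve the sub-resource over https: (or protocol-relative), which is exactly what the wildcard certificate already on house.gov allows.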

Re:

Trying to paint it as the industry standard is silly.

Are you honestly claiming that https is not the industry standard? Really?

Give me a break with the incessant whining about everything.

Only one person is whining here, and he's the goofy guy who shows up in the mirror when you look at it. The rest of us are having a serious discussion about something important. When you grow up, perhaps we'll let you join us.

Re: It would be instructive and useful if...

They would explain how the 'bad' cash being pushed in the wrong direction (to the people, not to the congress critters) is poisoning the public to the views that they have been demanding.... or something similarly silly.

Re: Re: Re: Re:

If you are asking for a connection to an IP address, that IP address will be logged; it doesn't matter how much encryption there is, you still need to ask for an IP address. The only way to mask that is through a proxy; then you'd be anonymous. Otherwise you are not: only the contents of the connection are secure, but whom you connected to can be logged and tracked over time.

On the HTTPS thing, most certificate authorities are not controlled by you; they are companies that issue certificates to a lot of other people and entities. In practical terms, HTTPS today is controlled by those few companies; unless you issued the keys yourself, which is a rarity nowadays, you have zero true security against governments. Further, even if you issue a certificate yourself, if you want a lot of people to be able to trust it you need to get it listed somewhere people trust the information; otherwise, when it hits a browser it will be shown as "authority unknown" with all the warnings to reject it. So you need to get it listed somewhere, and that means creating your own contacts and starting to contact others to accept your certificate as valid: not an easy task for the average Joe, but doable if you don't ever need a public-facing front and all the people that need to know about the validity of the certificate know you and are able to get it directly from you and thus register it into their systems.

Re: Re: Re: Re: Re:

HTTPS headers are encrypted; that doesn't stop people from tracking the IPs and domains you visit.

Quote:

Everything in the HTTPS message is encrypted, including the headers, and the request/response load. With the exception of the possible CCA cryptographic attack described in limitations section below, the attacker can only know the fact that a connection is taking place between the two parties, already known to him, the domain name and IP addresses.

WHY THE FUCK are critical systems on the internet in the first place ?
Unconnected read only access as a monitoring device...ok but full access via the web is just ludicrous from a security standpoint.

Re: Re: Re: Re:

No, he demands fewer laws to make the internet "less secure", and we should all be perfect in how we host our sites and run our servers... yet, clearly, not everything is perfect in the land of Techdirt.

Re: Re: Re: Re: Re:

Congress can pass all the laws they want but idiots (read: government) will still leave their networks "less secure". Just more laws to punish those they despise and turn heads/wrist slap those they favor.

The government's big picture is they want to root out all that speak out against them. They want to know exactly where they are, who they talk to, EVERYTHING. It's not far from what happened in Germany in the 1920's and 30's. Only this time it's going to be a collective of all the major military forces of the world; they call themselves NATO and UN. If the Nazi timeline holds, in 5 to 20 years the military will start to process 95% of the population of the world. Some would say I'm paranoid. I would say that's what they want you to think.

Re: Re:

Good Lord.

Are you honestly claiming that https is not the industry standard? Really?

I'm saying it's not industry standard to have https on every webpage--even TD is not https.

Only one person is whining here, and he's the goofy guy who shows up in the mirror when you look at it. The rest of us are having a serious discussion about something important. When you grow up, perhaps we'll let you join us.

All you do is whine about every little thing. You're the whiniest bitch on the internet, Mike.